Prevent unauthorized access

InfoNow
Apr 20, 2001
I have a Windows 2003 server with DHCP set up. Is there a way to prevent rogue devices from obtaining an IP address and getting into my network? Is there some sort of notification that will let me know if a rogue device is attempting to get into my network? I realize that if they know my IP range, they can manually enter it into the settings, but at least this way it won't happen automatically.

tia
 
Yes - you can set up MAC address authentication. This will ensure that only machines that YOU specify can obtain an IP address from the DHCP pool. You could then also reserve a certain IP address for a particular host.

For additional security, make sure the DHCP pool can only assign as many IP addresses as there are hosts on the network....so say you have 23 machines, have a DHCP pool that reflects this, while not forgetting servers, etc.

Is the DHCP pool on your router or server? If on the router, there will be a clear section for it. If on the server, well, I am unfamiliar with 2003 Server so can't help there, I'm afraid.

How easy this is for you will depend on the size of your network.
 
Worth mentioning that MAC address spoofing is not exactly hard to do....

Andy Leates MCSE CCNA MCP+I
 
Thank you for the quick reply. I have DHCP running on the 2003 server. I don't see any option in the DHCP server to do MAC address authentication. Can you point me in the right direction?

Andy,
Yes, I realized this as well, but my main concern is people bringing in their infected laptops and hooking them up to my network.

tia
 
Are you using Cisco managed switches? If so you could also enable port security on each port for a particular mac-address and also shutdown any unused ports.
 
Yes, it is simple to spoof a MAC address, but it's not so simple to spoof it to an allowed address unless you know of one that is allowed! Plus, at a school I doubt that a great many people will know how to do it!

Joamon makes a good point about port security, although I don't think it would be suitable to assign just one MAC address to a port if there are likely to be several users hooking up their laptops.

InfoNow, this may be of use to you:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
 
Thank you for all the help guys.
Cyberspace, the article helps, but it kind of left me feeling helpless. Anyway, I started to add users to the reservation list in the DHCP server. I have about 150 users to do, so I'd better start working on it. The other 50 in the lease pool will be assigned to fake MAC addresses so the DHCP server won't lease them out.

Joamon, we do use a managed Cisco switch and a Cisco router, but I haven't a clue about Cisco devices yet. Maybe in the near future I will study them. I don't want to mess around with a live environment, so I will have to find some spare parts to play around with.

I do have one question:
Is there any way that the DHCP server can send me an email alert when there is a lease denied? I can see it in the log, but I'm not sure if there is a way to have it notify me.

TIA
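One way to get the alert asked about above is to scan the DHCP server's audit log (DhcpSrvLog) on a schedule and mail anything that needs attention. The script below is an added example, not from this thread; the sample log lines are constructed in the Windows DHCP audit-log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address), and the allow list of known MACs is hypothetical. It flags denied leases (ID 15), an exhausted pool (ID 14), and any lease granted to a MAC that has no reservation.

```python
import csv

# Audit-log event IDs that mean a client was refused or the pool ran dry.
ALERT_EVENTS = {
    "14": "lease request could not be satisfied (address pool exhausted)",
    "15": "lease denied",
}
GRANT_EVENTS = {"10", "11"}  # new lease / renewal

# Hypothetical allow list: the MACs already covered by DHCP reservations.
KNOWN_MACS = {"0011223344AA", "0011223344BB"}

# Constructed sample in the DhcpSrvLog layout; the real file has a text preamble
# before the CSV header, so the parser skips to the "ID," line.
SAMPLE_LOG = """\
                Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,04/20/01,08:01:12,Assign,192.168.1.50,WS01,0011223344AA
11,04/20/01,08:02:40,Renew,192.168.1.51,WS02,0011223344BB
15,04/20/01,08:05:03,Denied,,,00DEADBEEF01
14,04/20/01,08:06:18,Pool exhausted,,,00C0FFEE0002
10,04/20/01,08:07:00,Assign,192.168.1.77,LAPTOP-X,00BADC0DE003
"""

def normalize_mac(mac):
    """Strip separators and upper-case so reservations and log entries compare equal."""
    return mac.replace("-", "").replace(":", "").strip().upper()

def find_alerts(log_text, known_macs=KNOWN_MACS):
    """Return (event_id, mac, reason) for every entry an administrator should hear about."""
    lines = log_text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,"))
    alerts = []
    for row in csv.DictReader(lines[start:]):
        event, mac = row["ID"].strip(), normalize_mac(row["MAC Address"] or "")
        if event in ALERT_EVENTS:
            alerts.append((event, mac, ALERT_EVENTS[event]))
        elif event in GRANT_EVENTS and mac not in known_macs:
            # A lease that bypassed the reservation list is worth knowing about too.
            alerts.append((event, mac, "lease granted to a MAC with no reservation"))
    return alerts

def build_alert_body(alerts):
    """Plain-text report; hand it to smtplib or a scheduled task's mail step."""
    if not alerts:
        return "DHCP audit: no denied or unexpected leases."
    lines = ["DHCP audit: %d event(s) need attention" % len(alerts)]
    lines += ["  event %s  MAC %s  %s" % a for a in alerts]
    return "\n".join(lines)
```

Run it from a scheduled task against the current day's log and send the returned body only when the alert list is non-empty.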
 
The nice thing about doing it at the switch would be to set it to shutdown the port on a violation. Then you will get a phone call from the user that violated security telling you that they cannot connect to the internet or network resources with either computer. The switch will log the violation in its buffer or syslog server if you are using one.
 
Joamon,
That's exactly what I wanted. What would be really cool is if there were a way to manage a table of all my MAC addresses on the switch, so that the port is not tied to just one MAC address. Instead, any MAC address that is in the table would be allowed on.
 
InfoNow, as I mentioned before, you can do that with MAC address authentication....it just depends on the switch as to whether you can store it on the switch, or if 2003 Server will do it.

Did you have any luck getting information for this in Windows Server 2003?
 
Sounds like you need a security key certificate for all machines allowed on the network..no key, no access; spoofing would be useless.

........................................
Chernobyl disaster..a must see pictorial
 
Cyberspace,
I don't know if my Cisco switch has that ability. I will have to do some research on that. I am currently using reservations on the DHCP server on Windows 2003. A reservation maps a MAC address to an IP address directly.

Technome,
Can you please give me more info regarding security key certificates? That sounds interesting.

tia
 
802.1x

Most switches support it these days, and if the client can't authenticate it can't get onto the network. If you have a W2K3 domain environment you can use group policy to force the devices to enroll for a certificate when they connect to a trusted switch, then use that cert for authentication to your edge switches.

Granted, it's a pain in the arse to set up a PKI and all the GPs to support it, but compared to a huge MAC address database?

HTH
 